February-reported breaches affect 1.4 million patients

More than 1.4 million people had data exposed in healthcare breaches reported to the federal government last month.

That's from a collective 35 breaches that providers, health plans and their business associates in February reported to HHS' Office for Civil Rights, the agency that maintains the government's database of healthcare breaches. In terms of patients affected, that's down 32.3% from February 2019, when organizations reported 32 breaches affecting 2.1 million people.

But it's up from this past January, when organizations reported 49 breaches affecting 629,000 people.

A laptop theft in Oregon accounted for almost half of the 1.4 million figure.

Medicaid coordinated-care organization Health Share of Oregon on February 5 reported that hundreds of thousands of its members' health and demographic information had been exposed after a break-in that took place at its transportation vendor's office. The break-in involved the theft of a laptop from the vendor, GridWorks, which was not encrypted.

The laptop, stolen in November, had contained data on an estimated 650,000 current and former members—representing the largest breach reported to the OCR so far this year.

Health Share said it learned about the data breach in January. HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department

Three other breaches reported to the OCR in February affected more than 100,000 people each, all of which involved hacking. Those incidents—reported by New York accounting firm BST & Co. CPAs, Georgia home care provider Aveanna Healthcare and Overlake Medical Center & Clinics in Washington state—collectively compromised data from 445,077 people.

In total, hacking and IT incidents accounted for roughly two-thirds of the 35 breaches submitted to the OCR in February. The remaining breaches reported last month resulted from theft, loss, improper disposal, unauthorized access or unauthorized disclosure of records.

The 10th largest incident in February, reported to the OCR by an eye care practice in Texas on Feb. 13, involved an improper disposal of nearly 8,000 paper records.

The practice, Today's Vision Willowbrook, was acquired by eye care provider MyEyeDr. in February 2019. Later that year, in May 2019, Today's Vision Willowbrook discovered that records of patients seen at the practice between 1997 and 2013 had been thrown away in a nearby dumpster, rather than being securely destroyed.

An investigation did not find any evidence that the records were discarded by employees of Today's Vision Willowbrook or MyEyeDr., according to a notice on MyEyeDr.'s website.